Critical IE Security Rollup
On March 28, Microsoft released a new critical Internet Explorer (IE) security rollup, so systems running IE with the security rollup Microsoft released in December are no longer current or secure. You need to update your browser with this most recent security rollup, which includes all previously released security hotfixes and patches for two new vulnerabilities.
The first new patch restricts a script embedded in a cookie to run only on the server that originally created the cookie. If you don't install this fix, a malicious user can embed a script in a cookie so that the script executes on the local machine. So, for example, if you manually open a cookie that contains an embedded script or you visit the Web site that created and stored the cookie, the script will run on the local system instead of on the Web server. If such a script executes locally, it can only perform operations and access resources available to the logged-on user. The patch forces such a script to run only in the zone where the script was originally created.
The second new patch eliminates a loophole that lets a malicious user format a Web page with an object tag that runs a known executable program on the local system. This vulnerability isn't as serious as it appears because the object tag avenue only lets an attacker run an executable that requires no arguments. The security bulletin states that "Microsoft is not aware of any programs installed by default in any version of Windows that, when called with no parameters, could be used to compromise the system."
For more information, read Microsoft Security Bulletin MS02-015 (Cumulative Patch for Internet Explorer). You can download the hotfix from Microsoft's Web site. Unlike previous IE rollups, you need only this download to update all versions from IE 5.01 through IE 6.0. The rollup has no uninstall option, so test the rollup thoroughly before you roll it out to production systems. This update is available at Windows Update but is not yet posted at the Corporate Windows Update site.
Critical Virtual Machine Hotfix
The latest Microsoft Virtual Machine (VM) hotfix, dated March 18, supercedes a hotfix of the same name that Microsoft released on March 4. You need this hotfix only if you manage Internet traffic with a proxy server because the vulnerability exploits the procedure that a proxy server uses to redirect Internet, but not LAN, traffic. Thus systems that connect to the Internet directly or through a firewall aren't at risk.
The most important feature in the VM hotfix is a defense against a variant of the original flaw that lets an attacker write a Java applet that redirects a machine’s Internet traffic to a Web site of the attacker’s choice. Pretty scary, huh? If you manage Internet connectivity with a proxy server, you need to apply this hotfix to all systems running VM 5.00.3802 and earlier. To determine the current VM version, run the jview command. On my system, the first line of jview’s output is "Microsoft (R) Command-line Loader for Java Version 5.00.3802," which indicates I’m running version number 3802. Fortunately, I don’t run a proxy server, so I can skip this hotfix.
You can read about the hazards of the redirect exploit in Microsoft Security Bulletin MS02-013 (Cumulative VM Update). You can download the VM hotfix here.
Post-Win2K SP2 Update Status
Although difficult to believe, as of March 28, Microsoft has released 743 changes for Windows 2000. Here are some of the problems that might affect new builds or services on your network. In most cases, you need to contact Microsoft Product Support Services (PSS) to obtain the patch.
Sysprep: When you use Sysprep to build new images, you can instruct the utility to generate computer names. A bug in the name-generation algorithm causes Sysprep to generate the same name for different systems. If this happens, you’ll see a "duplicate computer name" error message when the new system attempts to join the network. (For details see the Microsoft article "Duplicate Computer Names Are Created When Sysprep.exe Generates Random Computer Names" (Q317606).
RIS: If you use the Remote Installation Service (RIS) to install Windows XP or Win2K on a system with Intel network adapters, the text portion of Setup might generate an error stating that "the operating system you selected does not contain the necessary drivers for your network adapter." Microsoft didn't package this patch with the traditional hotfix utility, so you’ll need to follow the custom installation instructions in the Microsoft article "Error Message: The Operating System Image You Selected Does Not Contain the Necessary Drivers for Your Network Adapter. Try Selecting a Different Operating System Image. If the Problem Persists, Contact Your System Administrator" (Q315074).
IAS: A bug in the Internet Authentication Service (IAS) might cause the service to fail with an access violation code of 0xc00000005 when the service receives requests from a large, but unspecified, number of clients in a short time period. Microsoft released the hotfix for this problem on February 8. For details see the Microsoft article "Internet Authentication Service Hangs with a Large Number of Clients" (Q315592).
Commerce Server: A bug in the procedure Microsoft Commerce Server 2000 uses to create Lightweight Directory Access Protocol (LDAP) connections causes application performance to degrade over time. Instead of using cached information, Commerce Server recreates connections from scratch, which puts an unnecessary load on the system. The update contains new versions of 29 key OS files. Fortunately, the update is available for public download from Microsoft's Web site.
SMTP: This bug stung me a few weeks ago, so I thought I’d pass on a reminder. When I reapplied Win2K Service Pack 2 (SP2) to a Win2K server on which I administer a remote Microsoft Exchange Server 5.5 system, I couldn’t view the Internet Mail Connector (IMC) on the remote machine. In case you, too, have forgotten about this hiccup, both SP1 and SP2 remove the SMTP service. For more information, see the Microsoft article "SMTP Is Removed When You Upgrade to Windows 2000 Service Pack 1 or Service Pack 2" (Q294804).
COM+: Microsoft released Win2K Post-SP2 COM+ hotfix rollup package 19 in mid-March. This update contains all previously released updates and corrects several new problems, including several COM+ access violations. You must contact PSS to get the rollup. For details, see the Microsoft article "INFO: Availability of Windows 2000 Post-Service Pack 2 COM+ Hotfix Rollup Package 19" (Q318105).
